Views

Search

Toolbox

Captain Zap

From Hack Story

Who is Captain Zap? The year was 1981. The Reagan administration was in its infancy. "Elvira" was setting the Billboard charts on fire. And a young hacker was about to become the first person ever arrested for a computer crime.

Eighteen months earlier, Ian Murphy (a.k.a. "Captain Zap") along with three cohorts, hacked into AT&T's computers and changed their internal clocks. People suddenly received late-night discounts in the afternoon, while others who waited until midnight to use the phone were greeted with hefty bills. For his part in the crime, Murphy was greeted with 1,000 hours of community service and 2 1/2 years probation (considerably less than what fellow hackers would receive today). He also became the inspiration for the movie Sneakers.

Today Murphy, like other hackers, runs his own security company - IAM Secure Data Systems, Inc. For $5,000 a day plus expenses. Murphy has dressed up as a phone-company employee and cracked a bank's security system, aided a murder investigation, and conducted studies in airline terrorism. But Murphy's great love is still hacking into company security systems - with their permission - and helping them guard against potential break-ins.

Here is the W2Knews Exclusive interview. Questions 1 and 2 are in this issue, the other questions are on the W2Knews website.

W2K: 1) What prompted you in the first place to start hacking systems?

CapZap: Hacking systems, is a very broad term to underscore the thoughts that have been part of my total life. From a very young age, I was always a curious person. This love of technology stems from a very early childhood where my parents made sure that my education was of the highest caliber available in the area where I grew up. At a very young age, toys that I was given were taken apart to see what made them work. I also had an incredible curiosity when any of the service personnel would come to the house to attend to any of the problems from the televisions, to the garbage disposals, intercom system, telephone systems, and any other of the systems that are in the house.

I guess I would imagine that my first exposure to hacking a system would have begun with my early fascination with the telephone network. At that time in the early '60s, and mid-60s, there was one telephone company in the country, and the telephone company kept its technology secret from the general public in general. I would say that my first hacking thoughts were with the telephone system and the fact that I was intercepting telephone calls of the local neighborhood girls to find out what they were talking about. Making crude telephone sets to be able to go up to a pole and the ability to listen on telephone calls or to make telephone calls anywhere in the world.

Reading was a great source of pleasure and it was a lot of science books and the like to understand things that work in the world. In fact, long before we had the problems of Bio-Chemical warfare and so-called terrorist attack scenarios, I was fascinated with these systems and the manufacture of such devices and formulas. I remember the first book that I ever read on the subject and it was a book put out in the early 1970s called Chemical and Bio Warfare by Seymour Hersch of the New York Times. I also was fascinated with nuclear weapons and explosives. It opened up my eyes to what can happen at a very early age.

But I have always been a hacker if you want to put it that way. I prefer to call it unorthodox or guerilla research protocols that test the limits of society, technological advances, overall impact upon our world and the never ending thirst for finding out just what the hell is out there. I really think that the lack of our citizens to question technology, let alone understand how anything works keeps most people in a provincial view of technology and stifles their mind in general. Today, we have a huge society that does not understand the working of a simple light switch that is in their homes, and have to call an electrician to change it. And then complains that it cost $150 bucks for such a thing. Grow up and learn to hack your environment to understand what you are living in. Question everything that comes before you and don't take it for granted that it will be alright.

W2K: 2) How was IT security in those early days?

CapZap: IT Security was non-existent. It was a joke if it was anything. Password control, access control, information control did not exist in any real world environment. Only the military had the real computers out there and that made it so much more fun. In fact for all of you who need a history lesson, the Internet was not something that just came along. This was a network that was built for war, nuclear war and a way for the military to converse after the big one to see if they needed to do something else to the other side. Now one of the problems of IT security was that no one ever had to really think about all of this before. No technologies really were in the environment and no one really thought that such things could occur. Computers were large machines that people only saw on PBS or in science fiction movies that were walls of blinking lights, and reels of tape spinning around. No one really thought of access except in research facilities or the like.

Access at first was a physical being, you had to get to the systems, and telecommunications was a joke. 300 baud was considered to be fast. It was the days of teletype and DEC printer terminals, card readers and it was difficult in general to just get online. The security issue had yet to raise its head in general. Telephone switches and systems were fair game for testing and exploration. It was very easy and guessing the password, like guest was simple and easy. No one ever changed the passwords because no one thought that anyone had access to the systems except the systems' owners.

And then came the vast wake up call: war-dialers and password hackers, simple programs that ran on the likes of Apple IIE or a Franklin Ace 1200. These machines were nothing more than souped-up calculators. And still we have the stupidity of the masses being led by their noses by the likes of Microsoft and the other of the cadre of monopolistic behavior. Such players include the likes of Symantec, and Oracle, the loss of the Novell's of the world and the fact that such entities are controlling the lack of and the complete control of the security that is now considered to be the real powerhouses of the cyber-world. And it is these guys that control so much and make sure that no one else will be able to make a buck or produce another method of security that really works, is a great shame of today's computer environment. In essence, Microsoft needs to wake up and really release the source code of the systems that control 80-90% of the world's desktops. The real lack of security today is the simple fact that no one is allowed to look at the recipe of the broth. And without that recipe, it is going to continue to get worse.

But the reality is that the likes of Microsoft and Oracle, the others who control the technologies that are now so fully entrenched in our so-called information society are still causing the failure of the security of millions due to their greed and inability to allow others to see the magic behind the scenes. But of course, when there was a security problem before, it was never able to traverse the globe in a matter of hours and we did not have the arrogance of the corporations, the malevolence of the few cyber-punks who unleash various viruses and other crap upon the masses due to the fact that so many are controlled by Redmond.

W2K: 3) From your perspective, what has changed in the security posture of today's companies?

CapZap: Security was pleaded for by a number of us from the early 80's right up to today. We held back because nothing was happening to the mainstream systems and not many systems were even connected on a full time basis. Only the military had systems connected on a full time basis, and that network, the Arpanet was the playground. Today, a NIC is standard in most computers, broadband is standard in the general population!

But we still see the various rejections of security from the masses because they don't understand the need. Companies still don't see the cost benefit and only respond once they have had an incident. The ideas of security are still back-burner to many system's owners little and big alike. Costs of over expensive software that comes with major flaws in the security arena offers no confidence to any consumer out there and the sheer fact that the systems are so vulnerable to attack from any point on the planet is a special cause for the need of security to be addressed completely. Computer viruses are rampant and most people today still have no idea that they have to update their anti-virus software. And still we have the masses scurrying to buy the latest flawed masterpiece from whomever and then have to download updates and patches to make it work. And if the patches do sometimes work, then you are lucky.

In addition, we have the problem that the systems are so many, software so buggy and so many problems are so wide spread, that even if a vast number of patches are downloaded, still we have the others who are not "fixed" and the problem comes back in spades. We have a major problem with so many systems and owners who are educated in so many stages of computer usage. From the simple home user with the scourge of AOL hell to the sophisticated user who are super techies and build their own machines from weekend computer shows, we have such a vast cornucopia of potential problems that it boggles the mind.

Security today is now reported as a brief news story on your local news with stories of the Love bug, Melissa, and other such crap happening. As of the last few days, "Bugbear" has come around and made the local news as a warning. But still we have a vast sea of morons who have no concept of such things. The Klez virus continues to plague any number of us each and every day and then we have the continued problem of Spam. Spam has become a major problem and it has reached a point where even I can not take control of the volume of the crap that comes to my mailboxes each and every day.

Between the constant offers to grow my breast, my penis and gamble, it looks like I would have a pretty good weekend according to the mail that arrives each and every day. My personal mailbox has made it to 150 spams a day. In these spams that go to a website or renegade IP address, there is the vast potential to inflict major damage to your machine and you not even know it. Trojans and other silicon biologics are hidden in such emails and are commonplace these days and still we have those of you who don't see the need to be vigilant in the cyber-arenas. Stupidity because of cost is one of the problems that we all face.

Anti-pirate technologies are worthless and only proceed to piss off the users. AOL was found in the mid to late 1990's to have installed software on computers that played music cds without the user's permission. And the cost and the backlash was too much to bear. But still this same trick was tried again in the last 12 months and again, it backfired again. And now we have the ability of the media giants to silence the web from music anywhere on the planet because they think that is cost them too much in lost revenue. But in fact with all of the security apparatus being bandied about as a cure-all of piracy and software protection, the day it is released, there is a way to defeat it all. Microsoft will continue to piss off the users who have multiple computers and force them to allow Microsoft to know their machines from the inside out. WHY?

The problems of security are vast, ever changing and will continue to be a major pain in the ass to all of us now and in the future. And in all of this fray we have the problems of the users who are just plain stupid to begin with. No firewalls, you get hacked, no anti-virus, you get sick and die, no control of your connections, you may get a knock at the door from some very nasty guys in bad suits and worse sunglasses with big guns. Security is as simple as keeping your connection secure and understanding that you can get hijacked anytime. You lock your car, why not lock your computer.

Let's look at one thought for all of you to ponder. Now how many of you work for a living? And for all of you that do work, you have had to apply to some very basic and some complex employers. How many of those employers have run your background and then not hired you because you have a blemish on your credit record. Now why is any employer running your credit in the first place? Am I being hired because I pay my bills on time or because I can do the job required on the position? And of those employers that run your background, what happens to that information? Do you have a right to see that information that they gathered and do they destroy it properly? Do you destroy your information that comes in the mail?

Now your security issues are yours alone. You are responsible for your security posture and your total exposure to the rest of the world. Leave your door unlocked on your car and it might get stolen, same with your house, might get robbed, you are taking chances each and every day with your informational security status.

W2K: 4) How easy is it for you (in today's environment) to still penetrate a medium size business?

CapZap: It has gotten a little bit tougher to get into systems, but it is there and you have so many tools out on the net and so many flaws that is becomes childs play. Scripts are rampant all over the net and systems' owners do not take advantage of the security tools available for free. In fact it comes with a fun factor to really think about, it comes with an automated view. So much that you can now just go to dinner and get back and find the breaches in systems just waiting for you to play with.

Systems' owners have not created positions for security protection policies because they themselves do not understand these needed policies. And then we have the lack of understanding from the users who will let you know anything that you need to know if you just call them and ask. An authoritarian voice with the right combination of buzz words and a bit of humor will get you past anyone on the phone.

There are no real password policies in any of the small or mid-range systems out there in force. It is a very interesting mix of security and lack of knowledge. Security still costs money these days and most companies are going to cut back where there is no profit to be seen up front and in your face. And we all know that security is an expensive proposition and it is required.

But the fact is that senior management or even your boss will not see the value of security unless it takes effect and even then you never know if it ever really worked these days. Even with all of the security postures fully in force, the advantage of the cyber world is that the systems can be attacked by hackers; pros looking to use the systems, your employees who store porn or their baseball card collection or the latest recipes from Emrril's cooking shows on the systems, or whoever else wants to use your systems. You have to have a due diligence factor fully in place and in constant force for any form of security to be effective. It is open season on your systems out there and it is a global assault force from anywhere on the planet that you have to face every minute of every day.

Can you even start to figure out where the force that attacks you is coming from? Do you have the ability to stop me from anywhere on the planet? Can you figure out that I have figured out that your systems are so weak minded that it is just too easy to overrun you and seize control of your very digital life? And the very worst point is that you go ahead and promote your systems and people in the news and then you give me a chance to understand more than you can ever understand. When the systems are under attack, as it is now common place, it is done under a way that most system's owners will never know. And this gives us or me a better chance to go after you.

Now one of the problems that is growing each and every day is the simple fact that any form of so-called law enforcement is sadly lacking and grossly understaffed when it comes to computer related incidents. Law enforcement is so far behind in technology and ability, that well, it smacks of stupidity. After all, who would sign up for a job where you can be radio dispatched to complete and total morons who can shoot and kill you all for 35K a year if they are lucky. People with brains do not become cops and not for such low levels of pay to boot. In addition, too many incidents overwhelm the law enforcement so-called professionals.

Then there is the fact that because it is a crime of economics and due to the very nature that information security incidents can become subjective in value and injury in the total scheme of things, the law enforcement attitude seems to be at the 50K dollar figure before they will even lift a finger. Think of it this way, you report your car stolen, maybe you get a visit from the cops, more than likely, you get an incident report number and a curt phone call from these clowns saying that they may or may not find it. Security for the most part is a multi-edge sword for the companies and for the interloper. Most law enforcement persons have no real understanding of computers in general, as do the owners themselves. Remember that you are going to the local 14 year old who understands the complexities of the systems better than you do. And that is the same problem that law enforcement has, they will not invest the time, money or effort and don't have the time money or effort available to investigate every computer related incident.

First when you go attack a system, you have the advantage to take control and use all sorts of devious methods that range from Tech support & social engineering to direct physical attack to just outright banging on the IP door and breaking into the network. It is most enjoyable to see such things happen and to then gain access through the easiest means possible. But in the real world, it is far easier than the security materials providers care to really think about. Boxes put in place to so-call secure the network still have gaping holes that allow any interloper to gain access, but makes it easy to gain entry for a skilled professional. In today's security environment, the advantages of a skilled professional, be it for the betterment of the companies' information security or for the invasion of a companies database, has become so much childs play these days due to the multitude of scripts, known flaws and the loss of true dedication to the cause.

W2K: 5) How do you make your money these days?

CapZap: A very interesting question indeed! Retired in some respects, active and hearty and hale in other respects and well just keeping my fingers in so many pies. I still do investigations and consulting for a number of international clients. It is now so much easier to do the consulting with tele-consulting and information transfer with high speed networks so readily available these days. In addition, I have just completed a British video series for the Discovery Channel on Information Security, completing a number of interview requests like this one and writing my 4th book on security issues and the ever-changing aspects of the internet, completing a paper for publication in the near future titled "A Madman's view of Terrorism!" on a major International Terrorism and Information Warfare Website and in addition for a major print publication, operating part time, an HVAC firm in Florida, what a lucrative market that is; and being in early retirement in sunny Florida out fishing on the D.J.6 on the Gulf Coast for most respects, most days. Times have changed so much and the advent of cell phones and day trading and stocks is now my daily play job too. And computers have even made that job automated for the most part. It is a very interesting lucrative and exciting mix to say the very least.

W2K 6) What is the ONE thing you would advise W2Knews subscribers to help them protect against hacker penetration?

CapZap: Due to companies' antiquated views of security and such programs being static in nature and budget, it behooves any firm to examine the needs of security on a dynamic basis every quarter and more. Users and systems are a dynamic environment and ever-changing in profiles and data streams. Systems attacks are S.O.P. today and well you have to have a brain to stay on top of things. I would really suggest that a hacker viewpoint be established to attack the systems everyday with all of the tools that are available to all from the net. Why not have an office of systems in security research with a dedicated person who does nothing but surf the web each and every day, looking for ways to break any and all systems of the companies' environment. This includes any systems or support structure that has any form of intelligence and connections to the real world. The HVAC, the water systems, internal electrical grid, back-up systems, telecommunications, physical electronic and logical plant, waste management and document destruction; and anything else that can be used as a possible information, weapon or intelligence gathering resource. If you don't have a clue by now as to what you are up against, and that is the entire world, then you need to go sit in your box and close the lid and die.

And with that I bid you a fond farewell, for the fish are calling and I don’t want to miss the tide. It's off to the Gulf of Mexico and another day of laptop / cell phone, stocks and fishing fun.